
COMMONWEALTH OF VIRGINIA

Information Technology Resource Management

Information Technology Risk Management Guideline
Appendix D - Risk Assessment Instructions

Virginia Information Technologies Agency (VITA)
ITRM Guideline SEC506-01
Appendix D - Risk Management Guideline Assessment Instructions
Effective Date: 12/11/2006
TABLE OF CONTENTS
PURPOSE, CAUTIONS & FORMAT ........................................ 1
EXAMPLE RISK ASSESSMENT ............................................ 2
RISK ASSESSMENT REPORT TEMPLATE
Appendix D, page i
PURPOSE, CAUTIONS & FORMAT
PURPOSE
This document contains instructions to implement the methodology described in Section 6 (Risk Assessment) of the Information Technology (IT) Risk Management Guideline, ITRM Guideline SEC506-01. This document is Appendix D of that Guideline, and is published under separate cover because of its size. This template does not stand alone and should be read only in conjunction with the Guideline.
The purpose of this document is to assist each Commonwealth of Virginia (COV) Agency in assessing the risks to its sensitive IT systems and data, and in protecting the resources that support the Agency's mission. These instructions are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems," and contain a recommended format for COV risk assessments.
CAUTIONS REGARDING USE OF THIS DOCUMENT
The example risk assessment in this document:
1. Does not document compliance with all requirements of the COV ITRM IT Security Policy, IT Security Standard and IT Security Audit Standard. These omissions are designed to illustrate control weaknesses, and must not be construed to relieve any COV Agency of its responsibility to comply with all applicable requirements of the IT Security Policy, IT Security Standard and IT Security Audit Standard.
2. Contains the names of fictional individuals, corporations, and products. No similarity to any actual person, living or dead, or to any actual corporation or product, past, present, or future, is intended. In addition, no such similarity to any actual corporation or product, past, present, or future, may be construed to represent an endorsement of any such corporation or product.
FORMAT
This document uses different fonts for instructions and examples, as follows:
Times New Roman text, including all of the text in this section, is provided as instructions for completing a risk assessment.
Arial Bold text inside a shaded text border is example text. In the examples, the template uses a fictional system called the Budget Formulation System (BFS), owned and operated by the Financial Operations Division (FOD) of a fictional agency called the Budget Formulation Agency (BFA).
Times New Roman italic text is provided as background information. It is provided for better understanding of how to complete each section of the Risk Assessment Report, or so that the author knows to extend or replicate a section, such as by adding Agency-specific threats or vulnerabilities to the risk matrix.
This document consists of two primary sections:
o An example risk assessment, with instructions and explanatory material for BFS. This section is intended to provide guidance to COV agencies on how to complete risk assessments of their sensitive IT systems.
o A blank Risk Assessment Report containing the section headings and tables from the recommended format Risk Assessment Report, but no content. This section is intended for use by COV agencies in completing Risk Assessment Reports for their sensitive systems.
EXAMPLE RISK ASSESSMENT
The example Risk Assessment begins with the cover sheet on the following page.
Example Risk Assessment Report
Information Technology Risk Assessment For
Budget Formulation Agency
Budget Formulation System
Version 1.0
July 2007
Prepared For:
Budget Formulation Agency
Financial Operations Division
123 E. Elm Street
Richmond, VA 23299
Prepared By:
Budget Formulation Agency
Financial Operations Division
123 E. Elm Street
Richmond, VA 23299
Risk Assessment Annual Document Review History
Review Date | Reviewer
July, 2005 | Jane Jones
July, 2006 | Jane Jones
The conditions of the risk assessment change as the agency's business environment changes. Review the risk assessment annually (or more frequently) to reflect those changes and improve the validity of the assessment.
TABLE OF CONTENTS
1 INTRODUCTION ........................................ 7
2 IT SYSTEM CHARACTERIZATION ........................... 9
3 RISK IDENTIFICATION ................................. 14
4 CONTROL ANALYSIS .................................... 20
5 RISK LIKELIHOOD DETERMINATION ....................... 32
6 RISK IMPACT ANALYSIS ................................ 35
7 OVERALL RISK DETERMINATION .......................... 38
8 RECOMMENDATIONS ..................................... 41
9 RESULTS DOCUMENTATION ............................... 44
LIST OF EXHIBITS
LIST OF FIGURES
FIGURE 1: IT SYSTEM BOUNDARY DIAGRAM .................. 13
FIGURE 2: INFORMATION FLOW DIAGRAM .................... 13
LIST OF TABLES
TABLE A: RISK CLASSIFICATIONS ......................... 8
TABLE B: IT SYSTEM INVENTORY AND DEFINITION
TABLE C: THREATS IDENTIFIED
TABLE D: THREATS, VULNERABILITIES, AND RISKS ......... 18
TABLE E: SECURITY CONTROLS
TABLE F: RISKS/CONTROLS/FACTORS CORRELATION .......... 30
TABLE G: RISK LIKELIHOOD DEFINITIONS
TABLE H: RISK LIKELIHOOD RATINGS
TABLE I: RISK IMPACT RATING DEFINITIONS
TABLE J: RISK IMPACT ANALYSIS
TABLE K: OVERALL RISK RATING MATRIX
1 INTRODUCTION
The introduction should briefly describe the purpose of this risk assessment and include a brief description of the approach used to conduct the risk assessment. The description of the approach should include:
o The participants and their roles in the risk assessment in relation to their assigned responsibilities at the agency;
o The techniques used to gather the necessary information (e.g., the use of tools, questionnaires); and
o The risk classifications used.
Agencies are encouraged to classify risks as High, Moderate or Low in accordance with the definitions in the Standard [1]. The definitions of the risk classifications should be included in Table A of the Risk Assessment Report.
1 Introduction
Staff of the Commonwealth of Virginia (COV) Budget Formulation Agency (BFA) performed this risk assessment for the Budget Formulation System (BFS) to satisfy the requirement of ITRM Standard SEC501-01 to perform an assessment at least every 3 years or whenever a major change is made to a sensitive system. The last risk assessment for this system was completed on July 10, 2004.
This risk assessment builds upon earlier risk assessments performed by Budget Formulation Agency staff. In addition, an IT Security Audit, conducted by BFA Internal Audit Services staff on June 24, 2007, was utilized. This risk assessment was performed in accordance with the methodology described in ITRM Guideline SEC506-01, and utilized interviews and questionnaires developed by BFA staff to identify BFS:
o Vulnerabilities;
o Threats;
o Risks;
o Risk Likelihoods; and
o Risk Impacts.
In addition, the risk assessment utilized ITRSK, an automated risk assessment tool.
Participants and their roles in this risk assessment included the following:
o Jane Jones, BFA Information Security Officer, reviewed the Risk Assessment report prior to completion;
[1] These definitions are based on the definitions in Federal Information Processing Standards Publication 199 (FIPS 199).
o John James, BFS System Owner, managed the risk assessment process, using BFA Information Risk Management staff to conduct the risk assessment, as well as providing information through interviews and completing questionnaires;
o Mike Williams, BFS Data Owner, provided information through interviews and through completing questionnaires;
o Bill Michaels, BFS Data Owner, provided information through interviews and through completing questionnaires; and
o Bea Roberts, of Partner Systems, Inc. (PSI), BFS Data Custodian, together with PSI operational and technical support staff and the BFS System Administrators, provided required technical information regarding BFS, and provided information through interviews and questionnaires.
Table A defines the risk levels (high, moderate, low) adopted to classify risks to the Agency, in the context of the BIA.
Table A: Risk Classifications
Risk Level | Risk Description
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
2 IT SYSTEM CHARACTERIZATION
IT system characterization defines the scope of the risk assessment effort. Use the previously developed IT System Inventory and Definition Document (Appendix B of the Guideline) as input for this step; some additional information is required. The purpose of this step is to identify the IT system, to define the risk assessment boundary and components, and to identify the IT system and data sensitivity.
2 BFS Identification
2.1 IT System Identification
Include in the Risk Assessment Report the previously developed IT System Inventory and Definition Document.
Table B: IT System Inventory and Definition
IT System Inventory and Definition Document
I. IT System Identification and Ownership
IT System ID: BFA-001
IT System Common Name: Budget Formulation System (BFS)
Owned By: Budget Formulation Agency (BFA), Financial Operations Division (FOD)
Physical Location: BFA Data Center, 123 E. Elm Street, Richmond, VA 23299
Major Business Function: Enable processing of current-year budget details and future-year budget plans
System Owner / Phone Number: John James, (804) 979-3757
System Administrator(s) / Phone Number: Partner Systems, Inc., (888) 989-8989
Data Owner(s) / Phone Number(s): Mike Williams, (804) 979-3452; Bill Michaels, (804) 979-3455
Data Custodian(s) / Phone Number(s): Bea Roberts, Partner Systems, Inc., (888) 989-8989
Other Relevant Information: BFS has been in production since December 1996
Table B: System Inventory and Definition (continued)
II. IT System Boundary and Components
IT System Description and Components:
BFS is a distributed client-server application transported by a network provided by PSI, a third party. The major components of the BFS include:
o A Sparc SUNW Ultra Enterprise 3500 server running SunOS 5.7 (Solaris 7). The server has four (4) processors running at 248 MHz, 2048 MB of memory, 4 SBus cards, 4 PCI cards, and total disk storage capacity of 368.6 GB (36 drives x 10 GB). This system is provided to BFA under contract by PSI, and this Risk Assessment relies on information regarding system hardware and Operating System software provided to BFA by PSI.
o One (1) network interface that is connected to BFA's data center Cisco switch. This interface is assigned two unique IP addresses.
o An Oracle 9i data store with two (2) commercial off-the-shelf (COTS) application modules (ABC and XYZ) purchased from Oracle Corporation.
IT System Interfaces:
o An interface between BFS and the Budget Consolidation System (BCS). This interface allows only the BCS to securely transmit data using the Secure Copy Protocol (SCP) on port 22 into the BFS nightly by a cron job that refreshes tables in the BFS Oracle store with selected data from BCS tables.
o A modem for emergency dial-in support and diagnostics, secured via the use of a one-time password authentication mechanism.
o Client software located within the Agency's Windows 2003 Server Active Directory Domain to manage access to BFS. This software utilizes encrypted communications between the client and the server and connects to the server on port 1521. Only users with the appropriate rights within the BFA Domain can access the client software, although a separate client login and password is required to gain access to BFS data and functions. This access is based on Oracle roles and is granted by the BFS system administrators to users based on their job functions.
IT System Boundary:
o The demarcation between the BFS and the Local Area Network (LAN) is the physical port on the Cisco switch that connects the BFS to the network. The switch and other network components are not considered to be part of the BFS.
o BFS support personnel provide the operation and maintenance of the application. PSI personnel, as the contracted system administrators, provide the operation and maintenance of the server and operating system. The BFS boundary is the following directories and their subdirectories: /var/opt/Oracle, /databases/Oracle, and /opt/odbc. Other directories are outside the BFS boundary.
o BFS is responsible for receiving data from the BCS. The BCS is a separate system and is outside the BFS boundary.
o Client access to the BFS server is controlled by BFA's Windows 2003 Server Active Directory domain. This access is included within the BFS system boundary. The overall BFA Windows 2003 Server Active Directory domain, however, is not considered to be part of the BFS, and is outside the BFS boundary.
Table B: System Inventory and Definition (continued)
III. IT System Interconnections
Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Summary
BFA | Budget Consolidation System | BCS | John James | No formal agreement required, as the systems have a common owner
Partner Systems, Inc. (PSI) | Enterprise Data Network | EDN | Bea Roberts | Agreement is in place; expires 12/31/2007; under renegotiation
IV. IT System and Data Sensitivity
Sensitivity ratings (include the rationale for each rating) by data type:

Current Year Budget Details
Confidentiality: Low. Data is public information.
Integrity: High. BFS is the system of record for fiscal year budget data for all COV Agencies.
Availability: Moderate. Data is used less than daily by all COV Agencies to allocate resources.

Future Year Budget Plans
Confidentiality: High. Release of the data before it is final could be damaging to COV and its Agencies.
Integrity: Moderate. BFS is the system of record for future year budget plans for all COV Agencies.
Availability: Low/High. Low during most of the year; High during budget preparation.

Overall IT System Sensitivity Rating and Classification
Overall IT System Sensitivity Rating (HIGH / MODERATE / LOW; must be High if the sensitivity of any data type is rated High on any criterion): HIGH, because the Integrity rating of Current Year Budget Details and the Confidentiality rating of Future Year Budget Plans are both High.
IT System Classification (SENSITIVE / NON-SENSITIVE; must be Sensitive if the overall sensitivity is High, and should be considered Sensitive if the overall sensitivity is Moderate): SENSITIVE.
2.2 IT System Boundary & Components Included in the Risk Assessment
Using the system boundary information already documented in Table B (see Section 3.2.3 of the Guideline), verify that the components that are included in this risk assessment are defined, and that components not included are defined as appropriate. If the IT System under assessment connects to or shares data with other IT Systems, risks associated with these other IT Systems should be considered in the risk assessment, even though the other IT Systems themselves will not be reassessed.
In most cases, the components included in the risk assessment will be the same as those within the system boundary (see section 3.2.3 of the Risk Management Guideline). Agencies, however, must make an affirmative decision regarding the components included in the risk assessment, including major components that could create risk for the IT system.
For example, an IT system (System A) may make use of a third-party network infrastructure, but since the third-party network is subject to a separate risk assessment, it should not be assessed again. However, the System A risk assessment should reference the network risk assessment, and highlight any pertinent network risks. Establishing the parameters in which the system operates ensures consideration of all relevant threats, vulnerabilities and risks, and an explicit decision as to the scope of the assessment.
The key part of defining the components included in the risk assessment is to look at where IT systems meet and to define where the dividing line is located. This applies not only to physical connections, but also to logical connections where data is exchanged. The owner(s) of this system and the owner(s) of the interconnected systems must agree on the components included in the risk assessment of each system, so that all components are the responsibility of someone, and no components are covered more than once. In the event that the IT system serves more than one Agency, the details of this use should be clearly defined in a written agreement. The agreement between system owners should be based on non-arbitrary characteristics, such as funding boundaries, functional boundaries, physical gaps, contractual boundaries, operational boundaries and transfer of information custody.
2.3 Additional IT System Documentation
In addition to the System Inventory and Definition document, include in this section of the Risk Assessment Report:
o A description or diagram of the system and network architecture, including all components of the system and the communications links connecting the components of the system, associated data communications and networks.
o A description or diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system.
Figure 1: IT System Boundary Diagram
[The boundary diagram is an image and is not reproduced in this text.]
A high-level diagram depicting the BFS information flow is provided in Figure 2.
Figure 2: Information Flow Diagram
[The flow diagram (BCS, BFS and the BFS client) is an image; its callouts read as follows.]
o Budget data generated by BCS is pushed to BFS nightly using a cron job. The Secure Copy Protocol (SCP) is used to securely perform this operation.
o The BFS server accepts client connections on TCP port 1521 (the Oracle listener) and SCP connections on TCP port 22 (SSH).
o Users manually enter weekly and monthly budget figures.
o Communication to/from BFS utilizes a proprietary protocol that encrypts all data at the packet level.
o Output is stored in electronic format and is printed for archival purposes, and includes Current Year Budget Details and Future Year Budget Plans.
3 RISK IDENTIFICATION
The purpose of this step is to identify the risks to the IT system. Risks occur in IT systems when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., natural, human, or environmental factors).
For example, Oracle 9i will stop responding when sent a counterfeit packet larger than 50,000 bytes. This flaw constitutes a vulnerability. A malicious user or computer criminal might exploit this vulnerability to stop an IT system from functioning. This possibility constitutes a threat. This vulnerability-threat pair combines to create a risk that an IT system could become unavailable.
The process of risk identification consists of three components:
1. Identification of vulnerabilities in the IT system and its environment;
2. Identification of credible threats that could affect the IT system; and
3. Pairing of vulnerabilities with credible threats to identify risks to which the IT system is exposed.
After the process of risk identification is complete, the likelihood and impact of the risks will be considered.
3 Risk Identification
3.1 Identification of Vulnerabilities
The first component of risk identification is to identify vulnerabilities in the IT system and its environment. There are many methodologies or frameworks for determining IT system vulnerabilities. The methodology should be selected based on the phase the IT system is in within its life cycle. For an IT system:
o In the Project Initiation Phase, the search for vulnerabilities should focus on the organization's IT security policies, planned procedures and IT system requirements definition, and the vendor's security product analyses (e.g., white papers).
o In the Project Definition Phase, the identification of vulnerabilities should be expanded to include more specific information. Assess the effectiveness of the planned IT security features described in the security and system design documentation.
o In the Implementation Phase, the identification of vulnerabilities should also include an analysis of the security features and the technical and procedural security controls used to protect the system. These evaluations include activities such as executing a security self-assessment, the effective application of automated vulnerability scanning/assessment tools and/or conducting a third-party penetration test. Often, a mixture of these and other methods is used to get a more comprehensive list of vulnerabilities.
Include in the Risk Assessment Report a description of how vulnerabilities were determined. If a Risk Assessment has been performed previously, it should contain a list of vulnerabilities that should be assessed to determine their continued validity. In addition, assess and document whether any new vulnerabilities exist.
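One automated check that belongs in the Implementation Phase scan described above, and that produces findings of the kind recorded as risk 6 in Table D (user names and passwords in scripts and initialization files), is a credential sweep over the scripts and profile files on the server. The scanner below is an added example for this page; it is not part of the COV guideline or of the fictional ITRSK tool. The file paths, account names and passwords it scans are constructed for illustration, and its patterns cover the common forms in which Oracle credentials end up on disk: a SQL*Plus `user/password@alias` command line, a `CONNECT user/password` line in a SQL script, a `userid=` argument to exp/imp/rman, and a shell assignment to a variable with "pass" or "pwd" in its name.

```python
"""Flag literal Oracle credentials embedded in scripts and initialization files.

Added example for this page; not part of the COV guideline or of any vendor
tool. Paths, accounts and passwords below are constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    account: str
    excerpt: str          # the offending line with the secret masked


# Each pattern captures (account, secret). The secret stops at '@' so a TNS
# alias such as user/password@BFS is split correctly.
_USER = r"(\$?[A-Za-z_][\w$#]*)"
_SECRET = r"([^\s@]+)"
PATTERNS = [
    ("sqlplus connect string",
     re.compile(r"\bsqlplus\s+(?:-\S+\s+)*" + _USER + "/" + _SECRET)),
    ("SQL*Plus CONNECT command",
     re.compile(r"(?i)^\s*conn(?:ect)?\s+" + _USER + "/" + _SECRET)),
    ("userid= argument (exp/imp/rman)",
     re.compile(r"(?i)\buserid\s*=\s*" + _USER + "/" + _SECRET)),
    ("password variable assignment",
     re.compile(r"(?i)^\s*(?:export\s+)?(\w*(?:pass|pwd)\w*)\s*=\s*['\"]?([^\s'\"]+)")),
]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that carries a literal credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            account, secret = m.group(1), m.group(2)
            # $VAR or ${VAR}: the secret is supplied from elsewhere, so this
            # file is clean; where the variable is set is checked separately.
            if not secret.startswith("$"):
                findings.append(Finding(path, line_no, kind, account,
                                        line.replace(secret, "****")))
            break                                # one finding per line is enough
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map (use open().read() for real files)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files modelled on the BFS nightly refresh and client scripts.
SAMPLE_FILES = {
    "/opt/bfs/bin/nightly_refresh.sh":
        "#!/bin/sh\n"
        "# Load the BCS extract that arrived overnight via scp\n"
        "sqlplus -s bfs_load/Summer2007@BFS @/opt/bfs/sql/refresh_tables.sql\n",
    "/opt/bfs/sql/refresh_tables.sql":
        "CONNECT bfs_load/Summer2007@BFS\n"
        "TRUNCATE TABLE bcs_staging;\n",
    "/home/oracle/.profile":
        "export ORACLE_HOME=/opt/oracle/product/9.2\n"
        "export BFS_ADMIN_PWD=ch4ngeme\n",
    "/opt/bfs/bin/monthly_report.sh":
        "#!/bin/sh\n"
        "# Credentials come from the caller's environment, not from this file\n"
        "sqlplus -s $BFS_USER/$BFS_PASS@BFS @/opt/bfs/sql/report.sql\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] account={f.account}: {f.excerpt}")
```

Run against the constructed files it reports three findings (the refresh script, the SQL script it calls, and the `.profile`) and nothing for the report script, whose credentials are variable references. Commented-out lines are deliberately still scanned, since a commented-out password is still a password on disk, and the secret is masked in the excerpt so the scan output itself does not become another copy of the credential.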
3.1 Identification of Vulnerabilities
BFS is in the implementation phase of its life cycle. Accordingly, identification of vulnerabilities for BFS included:
o Interviews with the BFA System Owner, Data Owners, and BFA operational and technical support personnel;
o Use of the automated ITRSK tool; and
o Review of vulnerabilities identified in the previous BFA Risk Assessment.
Vulnerabilities that combine with credible threats (see Section 3.2) create a risk to the IT system that will be listed in step 3.3.
3.2 Identification of Credible Threats
The purpose of this component of risk identification is to identify the credible threats to the IT system and its environment. A threat is credible if it has the potential to exploit an identified vulnerability.
Table C, at the end of this section, contains examples of threats. The threats listed in the table are provided only as an example and are specific to the example BFS system. Agencies are encouraged to consult other threat information sources, such as NIST SP 800-30. The goal is to identify all credible threats to the IT system, but not to create a universal list of general threats.
Include in the Risk Assessment Report a brief description of how threats were determined and a list of the credible threats. If a Risk Assessment has been performed previously, it should contain a list of credible threats that must be assessed to determine their continued validity. In addition, assess and document whether any new threats exist.
3.2 Identification of Credible Threats
Credible threats to the Budget Formulation System were identified by:
o Consulting the previous BFS Risk Assessment and analyzing how the BFS threat environment has changed in the past three years;
o Interviewing the BFS System Owner, Data Owners, and System Administrators to gather information about system-specific threats to the BFS; and
o Use of the automated ITRSK tool to identify threats to the BFS.
3.3 Identification of Risks
The final component of risk identification is to pair identified vulnerabilities with credible threats that could exploit them and expose the following to significant risk:
o The IT system;
o The data it handles; and
o The organization.
In order to focus risk management efforts on those risks that are likely to materialize, it is important both to be comprehensive in developing the list of risks to the IT system and also to limit the list to pairs of actual vulnerabilities and credible threats. For example, as noted at the beginning of section 3, Oracle 9i will stop responding when sent a counterfeit packet larger than 50,000 bytes. This flaw constitutes a vulnerability. A malicious user or computer criminal might exploit this vulnerability to stop an IT system from functioning. This possibility constitutes a threat. This vulnerability-threat pair combines to create a risk that an IT system could become unavailable.
If an IT system running Oracle 9i is not connected to a network, however, such as the certificate authority for a Public Key Infrastructure (PKI) system, then there is no credible threat able to deliver such a packet, and so no vulnerability-threat pair to create that risk.
Table C: Credible Threats Identified for the BFS
Air Conditioning Failure | Earthquakes | Nuclear Accidents
Aircraft Accident | Electromagnetic Interference | Pandemic
Biological Contamination | Fire (Major or Minor) | Power Loss
Blackmail | Flooding/Water Damage | Sabotage
Bomb Threats | Fraud/Embezzlement | Terrorism
Chemical Spills | Hardware Failure | Tornados, Hurricanes, Blizzards
Communication Failure | Human Error | Unauthorized Access or Use
Computer Crime | Loss of Key Personnel | Vandalism and/or Rioting
Cyber-Terrorism | Malicious Use | Workplace Violence
Provide a brief description of how the risks were identified, and prepare a table of all risks specific to this IT system. In the table, each vulnerability should be paired with at least one appropriate threat, and a corresponding risk. The risks should be numbered and each risk should include a description of the results if the vulnerability were to be exploited by the threat. Enter the data into Exhibit 1 (this data entry can be done by means of cutting and pasting).
3.3 Identification of Risks
Risks were identified for the BFS by matching identified vulnerabilities with credible threats that might exploit them. This pairing of vulnerabilities with credible threats is documented in Table D. All identified risks have been included.
Table D, on the next page, documents example vulnerabilities, threats and risks for the BFS. The list in Table D is an example and pertains only to the fictional BFS.
Table D: Vulnerabilities, Threats, and Risks
Columns: Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary

Risk 1
Vulnerability: Wet-pipe sprinkler system in BFS Data Center.
Threat: Fire
Risk of Compromise of: Availability of BFS and data.
Risk Summary: Fire would activate the sprinkler system, causing water damage and compromising the availability of BFS.

Risk 2
Vulnerability: BFS user identifiers (IDs) no longer required are not removed from BFS in a timely manner.
Threat: Unauthorized Use
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of BFS data.

Risk 3
Vulnerability: BFS access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized Access
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of BFS data.

Risk 4
Vulnerability: Bogus TCP packets (> 50,000 bytes) directed at port 1521 will cause BFS to stop responding.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Availability of BFS and data.
Risk Summary: A denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.

Risk 5
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Exploitation of unpatched application security flaws could compromise the confidentiality & integrity of BFS data.

Risk 6
Vulnerability: User names & passwords are in scripts & initialization files.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of the confidentiality & integrity of BFS data.

Risk 7
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality & integrity of BFS data.

Risk 8
Vulnerability: "Generic" accounts found in the database (e.g., test, share, guest).
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Use of generic BFS accounts could result in compromise of the confidentiality & integrity of sensitive BFS data.

Risk 9
Vulnerability: Remote OS authentication is enabled but not used.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Remote OS authentication is not currently used by BFS; enabling this access when it is not necessary could result in compromise of the confidentiality & integrity of sensitive BFS data.

Risk 10
Vulnerability: Login encryption setting is not properly configured.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality & integrity of BFS data.
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of the confidentiality & integrity of sensitive BFS data.

Risk 11
Vulnerability: Sensitive BFS data is stored on USB drives.
Threat: Malicious Use; Computer Crime
Risk of Compromise of: Confidentiality of BFS data.
Risk Summary: Loss or theft of USB drives could result in compromise of the confidentiality of BFS data.
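Risks 2, 3, 7, 8 and 9 in Table D are all properties of the Oracle account configuration, so an assessor can confirm them from the data dictionary instead of relying on interviews alone. The function below is an added example for this page, not part of the guideline or of the fictional ITRSK tool. It takes rows shaped like DBA_USERS, DBA_PROFILES, DBA_SYS_PRIVS, DBA_TAB_PRIVS and V$PARAMETER output, plus the data owner's list of currently authorized users, and reports which Table D risk each finding supports. The account names, profiles and grants are constructed; `remote_os_authent` and `PASSWORD_LIFE_TIME` are real Oracle parameter and profile-resource names.

```python
"""Reconcile Oracle account configuration against the Table D findings.

Added example for this page; not part of the COV guideline or of any vendor
tool. The rows below are constructed to look like DBA_USERS, DBA_PROFILES,
DBA_SYS_PRIVS, DBA_TAB_PRIVS and V$PARAMETER output for the fictional BFS.
"""
from typing import Dict, List, Set, Tuple

GENERIC_NAMES = {"TEST", "GUEST", "SHARE", "DEMO", "TEMP"}   # Table D risk 8
BUILT_IN = {"SYS", "SYSTEM", "DBSNMP", "OUTLN"}              # Oracle-owned schemas

Users = List[Tuple[str, str, str]]            # (USERNAME, ACCOUNT_STATUS, PROFILE)
Profiles = Dict[str, Dict[str, str]]          # PROFILE -> {RESOURCE_NAME: LIMIT}
Finding = Tuple[int, str]                     # (Table D risk number, detail)


def password_life(profiles: Profiles, profile: str) -> str:
    """Resolve PASSWORD_LIFE_TIME, following a 'DEFAULT' limit to the DEFAULT profile.

    In Oracle 9i the DEFAULT profile ships with PASSWORD_LIFE_TIME UNLIMITED, so a
    missing or DEFAULT entry resolves to UNLIMITED unless DEFAULT itself was changed.
    """
    limit = profiles.get(profile, {}).get("PASSWORD_LIFE_TIME", "DEFAULT")
    if limit.upper() == "DEFAULT" and profile != "DEFAULT":
        limit = profiles.get("DEFAULT", {}).get("PASSWORD_LIFE_TIME", "UNLIMITED")
    return limit.upper()


def audit_accounts(users: Users, profiles: Profiles,
                   sys_privs: List[Tuple[str, str]],
                   tab_privs: List[Tuple[str, str, str]],
                   parameters: Dict[str, str],
                   authorized: Set[str]) -> List[Finding]:
    """Return (risk number, detail) pairs for the Table D account findings."""
    findings: List[Finding] = []
    usernames = {name for name, _, _ in users}
    for name, status, profile in users:
        if name in BUILT_IN or status != "OPEN":
            continue                                   # locked/expired: no live exposure
        if name not in authorized:                     # risk 2: ID no longer required
            findings.append((2, f"{name}: open account not on the data owner's authorized list"))
        if name in GENERIC_NAMES:                      # risk 8: generic/shared account
            findings.append((8, f"{name}: generic account is open"))
        if password_life(profiles, profile) == "UNLIMITED":   # risk 7: no expiry
            findings.append((7, f"{name}: profile {profile} never expires the password"))
    # Risk 3: privileges granted straight to a user instead of through a role.
    for grantee, priv in sys_privs:
        if grantee in usernames and grantee not in BUILT_IN:
            findings.append((3, f"{grantee}: system privilege {priv} granted directly"))
    for grantee, table, priv in tab_privs:
        if grantee in usernames and grantee not in BUILT_IN:
            findings.append((3, f"{grantee}: {priv} on {table} granted directly"))
    # Risk 9: remote OS authentication trusts the OS identity a remote client claims.
    if parameters.get("remote_os_authent", "FALSE").upper() == "TRUE":
        findings.append((9, "remote_os_authent=TRUE but BFS uses no remote OS logins"))
    return findings


# Constructed sample data for the fictional BFS (the people and roles are not real).
USERS: Users = [
    ("SYS", "OPEN", "DEFAULT"),
    ("BFS_APP", "OPEN", "BFS_SERVICE"),
    ("JJAMES", "OPEN", "BFS_USERS"),
    ("MWILLIAMS", "OPEN", "BFS_USERS"),
    ("TSMITH", "OPEN", "BFS_USERS"),      # left the agency; never removed
    ("TEST", "OPEN", "DEFAULT"),
    ("GUEST", "LOCKED", "DEFAULT"),
]
PROFILES: Profiles = {
    "DEFAULT": {"PASSWORD_LIFE_TIME": "UNLIMITED"},
    "BFS_USERS": {"PASSWORD_LIFE_TIME": "90"},
    "BFS_SERVICE": {"PASSWORD_LIFE_TIME": "DEFAULT"},
}
SYS_PRIVS = [("BFS_ANALYST", "CREATE SESSION"), ("TSMITH", "SELECT ANY TABLE")]
TAB_PRIVS = [("BFS_ANALYST", "BUDGET_DETAIL", "SELECT"),
             ("MWILLIAMS", "BUDGET_PLAN", "UPDATE")]
PARAMETERS = {"remote_os_authent": "TRUE", "os_authent_prefix": "OPS$"}
AUTHORIZED = {"BFS_APP", "JJAMES", "MWILLIAMS"}

if __name__ == "__main__":
    for risk, detail in sorted(audit_accounts(USERS, PROFILES, SYS_PRIVS,
                                              TAB_PRIVS, PARAMETERS, AUTHORIZED)):
        print(f"Table D risk {risk}: {detail}")
```

On the constructed data the audit surfaces eight findings: the departed user and the open TEST account (risk 2), the direct grants to TSMITH and MWILLIAMS that bypass the BFS_ANALYST role (risk 3), the service account and TEST running on a profile that never expires passwords (risk 7), TEST as a generic account (risk 8) and the remote_os_authent setting (risk 9). The locked GUEST account is not reported because it cannot be logged into, which is the state Table D risk 8 asks for; a locked generic account is still worth dropping, but that is housekeeping rather than exposure.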
4 CONTROL ANALYSIS
The purpose of this step is to document a list of the security controls used for the IT system. These controls should correspond to the requirements of the Policy, Standard, and Audit Standard. The analysis should also specify whether each control is in-place (i.e., current) or planned, and whether the control is currently enforced. In the next step these controls are matched with the risks identified in Table D, in order to identify those risks that require additional response.
Table E is an example of a security controls list that corresponds to the requirements of the Policy, Standard, and Audit Standard. This list shows controls that are in-place, as well as those planned for implementation.
4 Control Analysis
Table E documents the IT security controls planned and in place for the BFS system.
TaCle *% Security 1ontrols
1ontrol Area
In>#laceH
#lanned
'escri$tion of 1ontrols
1 Risk Management

1.1 IT Security Roles & Responsibilities
  In place:
    1. Required IT Security roles have been assigned in writing, both for BFA as a whole & for the BFS. John Howard, BFA Commissioner, has designated Jane Jones as BFA ISO & delegated the assignment of other IT security roles to her.
    2. With respect to BFS, Jane Jones has assigned individuals to the required IT security roles, as documented elsewhere in this report.

1.2 Business Impact Analysis
  In place:
    1. BFA management & staff conducted & documented a Business Impact Analysis (BIA) of the Agency during June 2004; this BIA was updated in May 2007. The BFA BIA notes that the BFS supports essential BFA functions.

1.3 IT System & Data Sensitivity Classification
  In place:
    1. BFA has documented classification of the sensitivity of BFA IT systems & data, including the BFS. This classification notes the high sensitivity of much of the data handled by the BFS.

1.4 IT System Inventory & Definition
  In place:
    1. BFA has documented an inventory of its sensitive IT systems; this inventory includes the BFS. The System Definition of BFS is included in Section 2 of this Risk Assessment report.

1.5 Risk Assessment
  In place:
    1. This report documents the Risk Assessment of BFS in July 2007, building on an earlier BFS Risk Assessment in July 2004.
  Planned:
    2. BFA will validate the current Risk Assessment through annual self-assessments in July 2008 & July 2009, & will conduct the next formal BFS RA in July 2010, or sooner if necessary.

1.6 IT Security Audits
  In place:
    1. Anne Keller, BFA Internal Audit Director, manages IT Security Audits for BFA.
    2. An IT Security Audit of BFS was conducted & documented by BFA Internal Audit staff on June 24, 2007.
    3. Required reporting for the BFS CAP is in place.
  Planned:
    4. Future IT Security Audits of BFA are planned biennially.

2 IT Contingency Planning

2.1 Continuity of Operations Planning
  In place:
    1. Sam Robinson is the BFA Continuity of Operations Plan (COOP) Coordinator & also serves as the focal point for IT COOP & Disaster Recovery (DR) activities.
    2. The BFA COOP documents the requirements for 24-hour recovery of the BFS & its data to support budget preparation, & 72-hour recovery of the BFS & its data at other times.
    3. The BFA COOP identifies all personnel required for its execution, including personnel required for recovery of the BFS, & includes emergency declaration, notification, & operations procedures.
    4. The COOP document is classified as sensitive; access to this document is restricted to COOP team members, & a copy of the COOP is stored off site at Data Recovery Services, Inc., BFA's recovery site partner.
    5. Recovery procedures for BFS were most recently tested during BFA's annual COOP exercise on May 18-20, 2007.
  Planned:
    6. The BFA COOP, including components relating to the BFS, is currently being updated as a result of the COOP exercise; completion is expected by September 1, 2007.
    7. Recovery procedures for BFS will next be tested during the BFA COOP exercise scheduled for May 2008.
2.2 IT Disaster Recovery Planning
  In place:
    1. A Disaster Recovery Plan (DRP) for the BFS has been documented & approved by the BFA Commissioner. This plan calls for recovery of the BFS within 72 hours at a cold site maintained by Data Recovery Services, Inc. (DRSI) under a contract with DRSI. In order to support 24-hour recovery of BFS during budget preparation, the contract with DRSI includes 24-hour recovery during this period.
    2. Both 72- & 24-hour recovery of the BFS were tested during the BFA COOP exercise on May 18-20, 2007, including access to the recovered BFS by users at other COV Agencies. Members of the BFS Disaster Recovery Team received training on their responsibilities in advance of the exercise.
  Planned:
    3. The BFS DRP is currently being updated as a result of the recovery during the BFA COOP exercise; completion is expected by September 1, 2007.
    4. Recovery of the BFS will next be tested during the BFA COOP exercise scheduled for May 2008.

2.3 IT System & Data Backup & Restoration
  In place:
    1. A Backup & Restoration Plan for the BFS has been documented & approved by John James, the BFS System Owner. This plan calls for:
       a. Weekly full & daily incremental backups of BFS data, & review of the backup logs by operations staff;
       b. Weekly pickup & transport of BFS backup tapes to DRSI by DRSI personnel; &
       c. Restoration of BFS data, either at BFA or at DRSI, only with the express written approval of John James, the BFS System Owner, or his designee.

3 IT Systems Security

3.1 IT System Hardening
  In place:
    1. BFS operations staff has identified & documented the Solaris 7 & Oracle 9i benchmarks from the Center for Internet Security (CIS) as appropriate hardening levels for the BFS. John James, the BFS System Owner, has approved this recommendation in writing. These benchmarks were most recently applied to BFS in May 2007, & the application was documented in the BFS Change Log.
    2. BFS operations staff most recently reviewed these benchmarks on June 7, 2007, & determined that they continue to provide an appropriate hardening level for the BFS. Benchmarks are reapplied whenever the operating system or application software is changed.
  Planned:
    3. PSI, the BFA business partner that operates the BFA technology environment, has engaged Cyberscan, Inc. to conduct a full vulnerability scan of the BFA technology environment. This scan is scheduled for August 2007.
    4. Based on the results of the vulnerability scan, BFS operations staff will determine whether the CIS benchmarks continue to provide appropriate protection for the BFS.
3.2 IT Systems Interoperability Security
  In place:
    1. The BFS receives data only from the BCS; it does not transmit data to any other IT system. This data sharing is documented in Section 2.2 of this Risk Assessment & in the BCS Risk Assessment. John James is System Owner of both BCS & BFS; therefore no written data sharing agreement is required. Security of network access is covered by a documented interoperability security agreement between John James, BFS System Owner, & Bea Roberts, System Owner of the PSI third-party network.

3.3 Malicious Code Protection
  In place:
    1. BFA has two different anti-virus software products installed on its desktop & laptop computers & on its e-mail servers. This software:
       a. Eliminates or quarantines all malicious programs that it detects & provides an alert to the user upon detection;
       b. Runs automatically on power-on & runs weekly full scans of memory & storage devices;
       c. Automatically scans all files retrieved from all sources;
       d. Allows only system administrators to modify its configuration;
       e. Maintains a log of protection activities; &
       f. Eliminates or quarantines malicious programs in e-mail messages & file attachments as they attempt to enter the Agency's e-mail system.
    2. Both desktop/laptop & e-mail anti-virus software are configured for automatic download of definition files whenever new files become available.
  Planned:
    3. The BFA Acceptable Use Policy, under development, will prohibit BFA users from intentionally developing or experimenting with malicious programs & from knowingly propagating malicious programs, including by opening attachments from unknown sources. This policy is scheduled for completion in August 2007.

3.4 IT Systems Development Life Cycle Security
  In place:
    1. The BFS is in the Implementation phase of its life cycle. As documented throughout this Risk Assessment report, BFA conducts & documents a formal Risk Assessment of the BFS every three years. In addition, the BFS complies with all other Risk Management requirements of the COV IT Security Standard.
4 Logical Access Control

4.1 Account Management
  In place: Documented BFA & BFS policies require:
    1. Granting access to IT system users based on the principle of least privilege. In the case of BFS, however, least privilege is enforced by granting ad-hoc access rights to BFS, rather than by granting access based on predefined roles.
    2. Approval by John James, BFS System Owner, & a prospective BFS user's supervisor before granting access to BFS; these policies are enforced.
    3. Prospective BFS users to receive a BFA-required criminal background check before receiving access to BFS; these policies are enforced.
    4. The use of passwords on all BFS accounts, & that these passwords expire at least every 90 days. These policies are not enforced on BFS, however, as passwords are not set to expire & password changes are not enforced.
    5. Annual review of all BFS accounts to assess the continued need for the accounts & their access level. These policies also require automatic locking of accounts if not used for 30 days, disabling of unneeded accounts, retention of account information for 2 years in accordance with BFA records retention policy, & notification of supervisors, Human Resources, & the System Administrator about changes in the need for BFS accounts. These policies are not enforced on BFS, however, & BFS user accounts are not removed when the access is no longer required.
    6. Prohibit the use of group accounts & shared passwords. These policies are not enforced on BFS, however, as accounts such as "guest," "test," & "share" exist in the BFS user database.
    7. John James to approve access changes to BFS accounts, & John James & the BFS operations & support team to investigate unusual account access. These policies are enforced.

4.2 Password Management
  In place: Documented BFA & BFS policies require:
    1. The use of passwords on sensitive systems such as BFS; these policies are enforced on BFS. These policies also require that, at a minimum, passwords be no less than eight characters long & contain both letters & numbers; Windows Active Directory is configured to require this length & complexity for BFS passwords.
    2. Encryption of passwords during transmission; password encryption, however, is not correctly configured for BFS, & BFS passwords are transmitted in clear text.
    3. Users to maintain exclusive control of their passwords, to be allowed to change their passwords at will, & to change a password immediately & notify the ISO if the password is compromised; these policies are enforced.
    4. BFS users to change passwords at least every 90 days; as noted above, however, these policies are not enforced with respect to BFS.
    5. The use of password history files to prevent password re-use; these policies are enforced on BFS, & BFS retains the previous 240 passwords for each user to prevent their re-use.
    7. Use of a procedure for delivery of the initial BFS password in person, from the BFS support team, in a sealed envelope. The initial password is set as expired, & the user is forced to change it upon first login. Forgotten initial passwords are replaced by the BFS support team & not re-issued.
    8. Prohibit the use of group accounts & shared passwords. These policies are not enforced on BFS, however, as accounts such as "guest," "test," & "share" exist in the BFS user database.
    9. Prohibit the inclusion of passwords as plain text in scripts. These policies are not enforced on BFS, however, as passwords are included in scripts & initialization files.
    10. Limit access to files containing BFS passwords to the BFS support team. These policies are enforced.
    11. Suppression of passwords on the screen as they are entered. These policies are enforced.
    12. Members of the BFS support team to have both an administrative & a user account, & to use the administrative account only when performing tasks that require administrative privileges. These policies are enforced.
    13. At least two members of the BFS support team to have BFS administrative accounts.

4.3 Remote Access
  In place:
    1. Based on the sensitivity of BFS data, documented BFA & BFS policies require that remote access to BFS not be permitted from outside the PSI-provided third-party network. Remote OS authentication, however, is enabled in the BFS application, even though no user accounts are configured to allow this access.
  Planned:
    2. To enable alternate work schedules & work locations, BFA is in the process of developing a plan to allow secure remote access to BFS. This plan is scheduled for completion in October 2007.

5 Data Protection

5.1 Data Storage Media Protection
  In place: Documented BFA & BFS policies require:
    1. Bea Roberts, as BFS Data Custodian, to provide protection of all sensitive BFS data. These requirements are enforced by a written agreement between BFA & Partner Services, Inc.
    2. Sensitive BFS data not to be stored on mobile data storage media, through a BFA policy that prohibits local storage of BFS data. This policy is not enforced, however, as sensitive BFS data is stored on USB drives.
    3. Only authorized DRSI personnel to pick up, receive, transfer, & deliver BFS tapes. This policy is enforced.
    4. BFS administrators & users to follow the ITRM Removal of Commonwealth Data from Surplus Computer Hard Drives & Electronic Media Standard (ITRM Standard SEC2003-02.1) when disposing of BFS data storage media that are no longer needed. This policy is enforced.
    5. BFS users to receive training on the proper procedure for disposal of data storage media containing sensitive data as part of the BFA IT Security Awareness & Training program. This policy is enforced.
5.2 Encryption
  In place: BFS uses encryption via:
    1. The secure shell (ssh) & secure copy (scp) protocols, which are in wide commercial use. This use is documented in BFS design documents.
    2. The CRDSK hard disk encryption product, as documented in BFA & BFS policies.
    3. Encryption of passwords during transmission. As noted above, however, this feature is incorrectly configured for BFS; BFS passwords are transmitted in clear text.
  Planned:
    4. BFA is currently documenting Agency policies, standards, & procedures for encryption technologies. Completion of this documentation is planned by October 1, 2007.

6 Facilities Security

6.1 Facilities Security
  In place:
    1. The BFS is housed in the BFA Data Center, with access controlled via a Secure card-key access system, administered by the BFA IRM staff, which permits monitoring, logging, & auditing of all access to the BFA Data Center. Jane Jones, BFA ISO, approves all requests for BFA Data Center access based on the principle of least privilege.
    2. The BFA Data Center is heated & cooled by a 90-ton HVAC unit, separate from the HVAC unit that heats & cools the remainder of the facility. Electric power to the BFA Data Center is provided by four Ribtell 400 kVA units connected to the commercial power supply. Backup power is provided by a diesel-powered generator.
    3. Fire suppression in the BFA Data Center is provided by a wet-pipe sprinkler system. BFA is aware that this fire suppression system poses a risk of significant water damage to equipment in the data center, including BFS. Replacement of the wet-pipe sprinkler system, however, has been considered & is cost-prohibitive.
    4. Access to the BFA facility at 123 Elm St. is also protected by the Secure card-key access system, administered by the BFA IRM staff. Cards that permit access to the facility are given only to BFA employees & contractors upon supervisory approval. All visitors are required to have escorts in the BFA facility.
    5. Access to other areas in the BFA facility that house IT resources is controlled by means of cipher locks, also administered by the BFA IRM staff, which changes the lock ciphers every 90 days. Jane Jones, BFA ISO, approves all requests for access to the lock ciphers based on the principle of least privilege.
7 Personnel Security

7.1 Access Determination & Control
  In place:
    1. BFS users receive a BFA-required fingerprint criminal background check & a credit check before receiving access to BFS.
    2. Access to the BFA facility & the BFA Data Center that houses the BFS is controlled by card-key access.
    3. Adequate separation of duties exists for BFS in order to guard against the possibility of fraud.
  Documented BFA & BFS policies require:
    4. The removal of physical & logical access rights upon transfer or termination of staff, or when the need for access no longer exists. These policies are enforced with respect to physical access; as noted above, they are not enforced regarding logical access to BFS.
    5. Return of Agency assets upon transfer or termination. These policies are enforced.
    6. Granting access to IT system users based on the principle of least privilege. These policies are enforced with respect to physical access. In the case of BFS, however, least privilege is enforced by granting ad-hoc access rights to BFS, rather than by granting access based on predefined roles.

7.2 IT Security Awareness & Training
  In place:
    1. Jane Jones, BFA ISO, is responsible for BFA's IT security awareness & training program. BFA requires, through documented policies & procedures, that all employees & contractors complete an online IT security training program on an annual basis. The online training program, which has been customized by the vendor to BFA's specifications, both records completion & forwards records of completion to the BFA ISO. The online training program covers:
       a. BFA policies for protecting IT systems & data, with a particular emphasis on sensitive systems & data;
       b. The concept of separation of duties;
       c. Employee responsibilities in continuity of operations, configuration management, & incident detection & reporting;
       d. IT system user responsibilities & best practices in:
          1. Prevention, detection, & eradication of malicious code;
          2. Proper disposal of data storage media; &
          3. Proper use of encryption products;
       e. Access controls, including creating & changing passwords & the need to keep them confidential;
       f. BFA Remote Access policies; &
       g. Intellectual property rights, including software licensing & copyright issues.
    2. BFA employees & contractors are required to accept BFA IT security policies by completing an online agreement during the online IT security training.
    3. Members of the BFS support team, BFA DR & Incident Response (IR) team members, & IRM staff are required, through documented BFA policy, to complete the equivalent of 40 contact hours or 3.5 CEUs of specialized IT security training related to their roles; this policy is enforced.
    4. BFA policy requires that all employees & contractors complete required basic IT security training within two weeks of beginning work at BFA; this policy is enforced.
7.3 Acceptable Use
  In place:
    1. BFA has elected to use the Virginia Department of Human Resource Management Policy 1.75, Use of Internet & Electronic Communication Systems, as its Acceptable Use policy. BFA employees & contractors are required to agree to this policy by completing an online agreement at the conclusion of online IT security training.
  Planned:
    2. BFA is in the process of developing its own Acceptable Use policy. Completion is expected in December 2007.

8 Threat Management

8.1 Threat Detection
  In place: Jane Jones, BFA ISO, is responsible for BFA's threat detection program, which includes the following components:
    1. BFA IRM staff receive threat detection training annually as their advanced IT security training.
    2. PSI has deployed, & monitors, Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS) in the BFA environment.
    3. PSI security staff maintain regular communication with US-CERT & other security research & coordination organizations, review IDS & IPS logs in real time, & recommend appropriate measures to BFA.

8.2 Incident Handling
  In place: BFA has documented & enforces:
    1. An Incident Response Team that includes the BFA ISO, BFA IRM staff, & PSI support & security staff.
    2. A protocol to use IT Security Audits, Risk Assessments, & post-incident review to identify appropriate measures to defend against & respond to cyber attacks.
    3. Proactive measures to prevent cyber attacks in response to recommendations from the PSI security staff.
    4. Internal BFA incident investigation, reporting, & recording processes.
  PSI has documented & enforces on BFA's behalf:
    5. Proactive measures to prevent cyber attacks in response to recommendations from the PSI security staff.
    6. Incident categorization & prioritization criteria, along with procedures to respond to each level of attack.
    7. A process for reporting IT security incidents in accordance with § 2.2-603(F) of the Code of Virginia, including reporting IT security incidents only through channels that have not been compromised.

8.3 Security Monitoring & Logging
  In place: BFA has documented the designation of PSI security staff as responsible for:
    1. Development of logging capabilities & review procedures for BFA as a whole, as well as for the BFS.
    2. Enabling logging on all BFS components & retention of logs for 90 days.
    3. Monitoring BFS security logs in real time & alerting the BFS support team & BFA IRM staff by pager when suspicious activity occurs.
9 IT Asset Management

9.1 IT Asset Control
  In place: Documented & enforced BFA & BFS policies require:
    1. No BFA IT assets to be removed from BFA premises, except for laptop computers assigned to individual BFA employees.
    2. No IT assets not owned by BFA to be connected to any BFA system or network.
    3. Removal of data from BFA IT assets prior to disposal in accordance with the COV Removal of Commonwealth Data from Surplus Computer Hard Drives & Electronic Media Standard (ITRM Standard SEC2003-02.1).

9.2 Software License Management
  In place:
    1. Documented BFA policies require the use of only BFA-approved software on its IT systems & require annual reviews of whether all software is used in accordance with license requirements.
    2. All BFS software is appropriately licensed.

9.3 Configuration Management & Change Control
  In place:
    1. BFA has documented configuration management & change control policies adequate to ensure that changes to the IT environment do not introduce additional IT security risk. BFA enforces these policies with respect to the BFS.
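Several of the "not enforced" findings in Table E (4.1.4 password expiry, 4.1.5 inactivity lock-out and removal of unneeded accounts, 4.1.6/4.2.8 generic accounts, 4.2.9 clear-text passwords in scripts and initialization files) can be verified mechanically rather than by interview. The following is an added example written for this appendix, not code from the Guideline, from VITA or from any BFS component: it applies those four checks to a constructed account export and a constructed batch script. The export format (one record per account with last login, password change date, expiry flag and status), the sample rows, the sample script, the thresholds copied from Table E and the list of generic account names are all assumptions made for the example.

```python
"""Mechanical checks for four Table E findings (4.1.4, 4.1.5, 4.1.6/4.2.8, 4.2.9).

Added example for this appendix; not part of the Guideline, VITA or the BFS.
The account export format, the sample rows and the sample script are
constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Thresholds stated in Table E, controls 4.1.4 and 4.1.5.
PASSWORD_MAX_AGE_DAYS = 90
INACTIVITY_LOCK_DAYS = 30
# Controls 4.1.6 / 4.2.8: the three names cited in the finding plus a few
# common vendor defaults (assumption: illustrative, not an exhaustive list).
GENERIC_ACCOUNT_NAMES = {"guest", "test", "share", "demo", "admin", "temp"}


@dataclass(frozen=True)
class Account:
    """One row of a (hypothetical) user-catalog export."""
    username: str
    last_login: date | None   # None means the account has never logged in
    password_changed: date
    password_expires: bool    # True if expiry is enforced for this account
    status: str               # "OPEN" or "LOCKED"


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return the usernames failing each control, keyed by Table E control number."""
    findings: dict[str, list[str]] = {"4.1.4": [], "4.1.5": [], "4.1.6": []}
    for acct in accounts:
        # 4.1.6 / 4.2.8: group or generic accounts must not exist at all.
        if acct.username.lower() in GENERIC_ACCOUNT_NAMES:
            findings["4.1.6"].append(acct.username)
        # 4.1.4: expiry must be enforced and the password younger than 90 days.
        age = (today - acct.password_changed).days
        if not acct.password_expires or age > PASSWORD_MAX_AGE_DAYS:
            findings["4.1.4"].append(acct.username)
        # 4.1.5: an open account idle for more than 30 days (or never used)
        # should already have been locked automatically.
        idle = (today - acct.last_login).days if acct.last_login else None
        if acct.status == "OPEN" and (idle is None or idle > INACTIVITY_LOCK_DAYS):
            findings["4.1.5"].append(acct.username)
    return findings


# Control 4.2.9: clear-text passwords in scripts and initialization files.
# Two heuristics: shell/ini style assignments to a *PASS*/*PASSWORD* variable,
# and the Oracle connect-string form user/password@service (assumption: the
# form a BFS batch job would use against its 9i database).
_PASSWORD_PATTERNS = [
    ("assignment", re.compile(r"^\s*(?:export\s+)?\w*pass(?:word|wd)?\s*=\s*\S+", re.I)),
    ("connect-string", re.compile(r"\b\w+/\w+@\w+")),
]


def find_cleartext_passwords(text: str) -> list[tuple[int, str]]:
    """Return (line number, match kind) pairs; the secret itself is never echoed."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines are noise for this check
        for kind, pattern in _PASSWORD_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, kind))
                break
    return hits


# Constructed sample input; the assessment date in Table E is July 2007.
TODAY = date(2007, 7, 9)
SAMPLE_ACCOUNTS = [
    Account("jjames",   date(2007, 7, 6),  date(2007, 5, 2),  True,  "OPEN"),
    Account("guest",    date(2007, 6, 30), date(2004, 7, 1),  False, "OPEN"),
    Account("test",     None,              date(2005, 1, 10), False, "OPEN"),
    Account("mbrown",   date(2007, 2, 1),  date(2007, 1, 15), True,  "OPEN"),
    Account("aroberts", date(2007, 7, 8),  date(2006, 12, 1), True,  "OPEN"),
]
SAMPLE_INIT_FILE = """\
# bfs_nightly.sh (constructed sample, not a real BFS script)
export ORACLE_SID=BFSPROD
export BFS_DB_PASSWORD=Tr0ub4dor
sqlplus bfs_batch/Tr0ub4dor@BFSPROD @load_forecast.sql
# PASSWORD=old_value  (commented out; ignored by the scanner)
"""

if __name__ == "__main__":
    for control, users in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"control {control} not enforced for: {users or 'none'}")
    for lineno, kind in find_cleartext_passwords(SAMPLE_INIT_FILE):
        print(f"control 4.2.9: clear-text password ({kind}) at line {lineno}")
```

Run as a script it prints the findings for the sample data: four accounts fail 4.1.4, two fail 4.1.5, two are generic, and the script has hits at lines 3 and 4. In an actual assessment the account rows would be pulled from the system's own user catalog (for an Oracle database, DBA_USERS carries account status and expiry date, and the audit trail carries last login) and the scanner would be pointed at the directories named in the 4.2.9 finding. The scanner deliberately reports only the line number and the kind of match, so the audit working papers do not become another copy of the password. Both checks are heuristics: a hit on something like a PASSWORD_POLICY= setting is a false positive that still needs a human look, and a password assigned under a variable name the patterns do not cover will be missed.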
Identify the security controls for each risk identified in Table D above. Associate the risks with the relevant controls in a Risks-Controls table (Table F), as below. This correlation determines whether controls exist that respond adequately to the identified risks. Indicate where controls are not in place or where they appear not to have been implemented effectively. Also indicate any factors that mitigate or exacerbate the absence of effective controls.
Table F correlates the risks to the BFS identified in Table D with the relevant BFS IT security controls documented in Table E and with other mitigating or exacerbating factors.
Table F: Risks-Controls-Factors Correlation

Risk 1: Fire would activate the sprinkler system, causing water damage & compromising the availability of BFS.
  Relevant controls & other factors: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. BFA Executive Management has accepted this risk.

Risk 2: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
  Relevant controls & other factors: Controls 4.1.5 and 7.1.4 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application. Physical access to the building, workstation areas, & network is adequately protected.

Risk 3: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
  Relevant controls & other factors: Controls 4.1.1 and 7.1.6 require users to receive the minimum access rights needed to perform job functions. These controls are in place on an ad-hoc basis rather than based on roles, as required by policy.

Risk 4: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
  Relevant controls & other factors: Control 8.1.2 provides intrusion detection sufficient to detect such an att

 ack. No Intrusion Prevention System (IPS) is in place, however, to prevent such an attack.

Risk 5: Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data.
  Relevant controls & other factors: Control 8.1.3 requires that advisories & critical patch releases be monitored. These procedures are not followed consistently. A mitigating factor is that occurrence of the risk depends on gaining access to the internal Agency network. A BFA firewall protects the Internet connection & a Data Center firewall protects the Data Center network. In addition, dial-in access is limited & strictly controlled. Internal users still pose a significant threat.

After preparing the table, enter the controls data in Exhibit 1 (this data entry can be accomplished by cutting and pasting from Table F).
Table F: Risks-Controls-Factors Correlation (continued)

Risk 6: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
  Relevant controls & other factors: Control 4.2.9 requires that clear text passwords must not exist in scripts or text files on any system, but is not enforced for BFS. The use of clear text passwords is an inherent weakness in the client software, & there is no fix according to the vendor. Physical protections are in place to limit access to the building & user workstation areas, & technical controls are in place to limit access to user workstations to those individuals who have been granted permission to log on to Agency systems.

Risk 7: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
  Relevant controls & other factors: Controls 4.1.4 and 4.2.4 require regular password changes, but are not enforced for BFS. Support for required password changes is built into the software but has not been enabled.

Risk 8: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
  Relevant controls & other factors: Controls 4.1.6 and 4.2.8 require that shared accounts such as these not be used, but have not been enforced for BFS.

Risk 9: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
  Relevant controls & other factors: Control 4.3.1 prohibits access to BFS from outside the PSI third-party network; enabling remote access in the software violates this control. A mitigating factor is that only authorized users could access the application. The mitigating effect of this factor is reduced by the unused accounts that continue to exist on BFS.

Risk 10: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
  Relevant controls & other factors: Controls 4.2.2 and 5.2.3 require encryption of passwords during transmission, but have not been enforced for BFS. Physical security protections are in place that would limit the ability to sniff the network to exploit this vulnerability.

Risk 11: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
  Relevant controls & other factors: Control 5.1.2 prohibits storage of sensitive BFS data on portable media such as USB drives, but has not been enforced for BFS.
5 RISK LIKELIHOOD DETERMINATION
The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk identified in Table D. This rating is a subjective judgment based on the likelihood that a vulnerability might be exploited by a credible threat. The following factors should be considered:
  Threat-source motivation and capability, in the case of human threats;
  Probability of the threat occurring, based on statistical data or previous experience, in the case of natural and environmental threats; and
  Existence and effectiveness of current or planned controls.
Other factors may also be used to estimate likelihood. These include historical information, records and information from security organizations such as US-CERT, and other sources. The controls listed in Table E may be considered, provided they adequately mitigate the risk. Agencies are strongly encouraged to use the risk likelihood definitions of high, moderate, and low, as documented in Table G.
5 Risk Likelihood Determination
Table G defines the Risk Likelihood ratings for the BFS. Table H, which follows, evaluates the effectiveness of controls and the probability, or motivation and capability, of each threat to BFS and assigns a likelihood, as defined in Table G, to each BFS risk documented in Table D.
Table G: Risk Likelihood Definitions

Rows give the effectiveness of controls; columns give the probability of threat occurrence (natural or environmental threats) or the threat motivation and capability (human threats); each cell gives the resulting risk likelihood.

                                  Threat: Low    Moderate    High
Effectiveness of controls: High   Low            Low         Moderate
Effectiveness of controls: Moderate   Low        Moderate    High
Effectiveness of controls: Low    Moderate       High        High
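Because Table G is a pure lookup, every rating in Table H (which follows) can be recomputed from the two judgments stated in its evaluation column and compared with the printed rating. The following is an added example written for this appendix, not code from the Guideline or any VITA tool. The matrix is transcribed from Table G, and the per-risk inputs for risks 1 through 9 are transcribed from the evaluation text of Table H (where that text rates "threat source capability" or "motivation and capability", the example uses that level as the threat column); the function and type names are the example's own.

```python
"""Recompute Table H likelihood ratings from the Table G matrix.

Added example for this appendix; not part of the Guideline, VITA or the BFS.
The matrix is transcribed from Table G and the per-risk inputs from Table H.
"""
from __future__ import annotations

from typing import NamedTuple

LEVELS = ("Low", "Moderate", "High")

# Table G. Outer key: effectiveness of controls. Inner key: probability of
# threat occurrence (natural/environmental) or threat motivation and
# capability (human). Value: risk likelihood.
LIKELIHOOD_MATRIX = {
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


def likelihood(control_effectiveness: str, threat_level: str) -> str:
    """Look up Table G, rejecting any level outside the three it defines."""
    if control_effectiveness not in LEVELS or threat_level not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return LIKELIHOOD_MATRIX[control_effectiveness][threat_level]


class RiskInput(NamedTuple):
    risk_no: int
    control_effectiveness: str
    threat_level: str
    stated_rating: str   # the rating printed in Table H


# Risks 1-9 as rated in Table H; the two inputs are the "effectiveness of
# controls" and "threat source" judgments given in each evaluation.
TABLE_H = [
    RiskInput(1, "Low", "Low", "Moderate"),
    RiskInput(2, "Low", "Low", "Moderate"),
    RiskInput(3, "Moderate", "Moderate", "Moderate"),
    RiskInput(4, "Low", "Moderate", "Moderate"),
    RiskInput(5, "Low", "Low", "Moderate"),
    RiskInput(6, "Low", "Low", "Moderate"),
    RiskInput(7, "Low", "Low", "Moderate"),
    RiskInput(8, "Low", "High", "High"),
    RiskInput(9, "Low", "Moderate", "High"),
]


def check_ratings(rows: list[RiskInput]) -> dict[int, tuple[str, str]]:
    """Return {risk_no: (stated, computed)} for every row that disagrees with Table G."""
    mismatches: dict[int, tuple[str, str]] = {}
    for row in rows:
        computed = likelihood(row.control_effectiveness, row.threat_level)
        if computed != row.stated_rating:
            mismatches[row.risk_no] = (row.stated_rating, computed)
    return mismatches


if __name__ == "__main__":
    for risk_no, (stated, computed) in check_ratings(TABLE_H).items():
        print(f"risk {risk_no}: Table H says {stated}, Table G gives {computed}")
```

Against these rows the check reports one disagreement, risk 4: its evaluation rates control effectiveness low and threat motivation and capability moderate, for which Table G gives High, while Table H prints Moderate. Either the rating or one of the two judgments in the evaluation text needs correcting before the likelihood is carried into the impact and overall-risk steps; running a check like this before sign-off is cheaper than having an auditor find the inconsistency later.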
Table H: Risk Likelihood Ratings

Each entry gives the risk summary from Table D, the likelihood evaluation, and the resulting risk likelihood rating.
Risk 1: Fire would activate the sprinkler system, causing water damage & compromising the availability of BFS.
  Evaluation: There are no controls against water damage to BFS from the wet-pipe sprinkler system in the event of a fire, so the effectiveness of controls is low. The likelihood of fire in the BFA Data Center is low.
  Likelihood: Moderate

Risk 2: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
  Evaluation: Effectiveness of controls for closing user accounts is low, as unneeded user IDs exist on BFS. Threat source capability is also low, as the risk is dependent on learning a user ID & password & gaining access to the client application. There appear to be adequate protections against this risk: physical access to the building, workstation areas, & network is adequately protected.
  Likelihood: Moderate

Risk 3: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
  Evaluation: Effectiveness of controls to limit users to minimum access rights is moderate. Policies now in place enable these controls, but on an ad-hoc basis rather than based on roles, as required by policy. Threat source capability and motivation is rated moderate, as only authorized users could cause this risk.
  Likelihood: Moderate

Risk 4: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
  Evaluation: No controls are in place to prevent such an attack, so control effectiveness is low. Threat source capability and motivation is rated moderate, as the reward from attacking BFS in this manner is limited.
  Likelihood: Moderate

Risk 5: Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data.
  Evaluation: Effectiveness of controls to require timely application of patches to BFS is low, as procedures for applying such patches are not followed consistently. Threat source motivation and capability is rated low, as occurrence of the risk depends on an unauthorized user gaining access to the internal Agency network. There is an Agency firewall protecting the Internet connection & a Data Center firewall protecting the Data Center network. Additionally, dial-in access is limited & strictly controlled.
  Likelihood: Moderate
Table H: Risk Likelihood Ratings (continued)

Risk No. 6
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Evaluation: Effectiveness of controls prohibiting use of clear text passwords in scripts or text files is low as the use of clear text passwords is an inherent weakness in the client software. Threat source capability is rated low, as physical protections are in place to limit access to the building & user workstation areas, & technical controls are in place to limit access to user workstations to those individuals who have been granted permission to logon to Agency systems.
Risk Likelihood Rating: Moderate

Risk No. 7
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Evaluation: Effectiveness of controls requiring regular password changes is low; these changes are not required. Threat source capability is rated low as the risk depends on learning a user ID & password & gaining access to the client application.
Risk Likelihood Rating: Moderate

Risk No. 8
Risk Summary: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Evaluation: Effectiveness of controls that prohibit shared accounts such as these is low. Threat capability is high as user IDs for generic accounts such as these are well-known.
Risk Likelihood Rating: High

Risk No. 9
Risk Summary: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Evaluation: Effectiveness of controls requiring that remote access is enabled only where authorized and required is low, as these controls have not been followed. Threat source capability is moderate because of the unused accounts that exist on BFS.
Risk Likelihood Rating: High

Risk No. 10
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Evaluation: Effectiveness of controls requiring encryption of passwords is low, as these controls have not been followed. Threat source capability is low as physical security protections are in place that would limit the ability to sniff the network to exploit this vulnerability.
Risk Likelihood Rating: Moderate

Risk No. 11
Risk Summary: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Risk Likelihood Evaluation: Effectiveness of controls prohibiting storage of sensitive data on USB drives is low, as these controls have not been followed. Threat source capability is high as such USB drives are frequently lost or stolen.
Risk Likelihood Rating: High
6 RISK IMPACT ANALYSIS
The purpose of this step is to assign an impact rating of high, moderate or low to each risk identified in Table D. The impact rating is determined based on the severity of the adverse impact that would result from an occurrence of the risk. Agencies are urged to assign ratings based on the impact to the COV as a whole.
6 Risk Impact Analysis
Table I documents the ratings used to evaluate the impact of BFS risks on the COV and BFA.
Table I provides definitions of the impact ratings that agencies are strongly encouraged to use. Include the impact ratings used in the Risk Assessment Report.
When determining the impact rating the following governing factors should be considered:
The business process performed by the IT system.
System and data sensitivity (i.e., the level of protection required to maintain system and data integrity, confidentiality, and availability).
Impact can also be based on ability to provide service to the public. An adverse impact might be a loss of confidentiality, integrity, or availability, or a loss of public trust in COV. Factors to consider are the loss or inconvenience the public would suffer if the risk were to occur. This information can usually be obtained from the Agency's Business Impact Analysis (BIA).
Apply the impact definitions in Table I to the risks identified in Table D to evaluate the effect if the risk occurs.
Table J documents the results of the impact analysis for BFS, including the estimated impact for each risk identified in Table D and the impact rating assigned to the risk.
Table I: Risk Impact Rating Definitions

Magnitude of Impact: High
Impact Definition: Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major COV tangible assets, resources or sensitive data; or (3) may significantly harm, or impede the COV's mission, reputation, or interest.

Magnitude of Impact: Moderate
Impact Definition: Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of COV tangible assets or resources; or (3) may violate, harm, or impede the COV's mission, reputation, or interest.

Magnitude of Impact: Low
Impact Definition: Occurrence of the risk: (1) may result in the loss of some tangible COV assets or resources or (2) may noticeably affect the COV's mission, reputation, or interest.
Table J: Risk Impact Analysis

Risk No. 1
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Risk Impact: BFS unavailable for use.
Risk Impact Rating: High

Risk No. 2
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 3
Risk Summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 4
Risk Summary: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
Risk Impact: BFS unavailable for use.
Risk Impact Rating: High

Risk No. 5
Risk Summary: Exploitation of un-patched application security flaws could compromise confidentiality & integrity of BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 6
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 7
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 8
Risk Summary: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 9
Risk Summary: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 10
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Risk Impact: Unauthorized disclosure or modification of BFS data.
Risk Impact Rating: High

Risk No. 11
Risk Summary: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Risk Impact: Unauthorized disclosure of BFS data.
Risk Impact Rating: High
Assign an impact rating to each risk identified in Table D. Enter the data in Exhibit 1. This data entry can be accomplished by cutting and pasting from Table I.
This section contains the results of an impact analysis performed for the BFS. To perform this analysis, an impact rating of low, moderate, or high was assigned to each risk identified in Table D. The impact rating for each risk was determined based on the severity of the adverse impact that would result from a successful exploitation of the vulnerability. The impact ratings in this section for each individual risk were based on the system's mission, and system and data sensitivity. BFA's most recent Business Impact Analysis (BIA) was reviewed in determining the ratings.
7 OVERALL RISK DETERMINATION
The purpose of this step is to calculate an overall risk rating of high, moderate or low for each risk identified in Table D. The risk rating must be based on both the likelihood of the risk occurring and on the impact to the COV should the risk occur.
7 Overall Risk Determination
The determination of risk ratings is somewhat subjective. Their value is in the attempt to quantify, however subjectively, the combination of likelihood and impact of occurrence. Each risk rating is expressed as the correlation of the given risk's likelihood of occurrence, and the risk's respective impact rating. The resulting risk ratings will place the various risks on a scale (e.g., 1 to 100), thus enabling managers to rank the risks quantitatively in order of severity and priority.
For example:
Each risk likelihood rating assigned in Table H may be assigned a numerical value of 0.1 for low, 0.5 for moderate, or 1.0 for high to represent the probability of occurrence (i.e., 0.1 to 1.0).
Each risk impact rating assigned in Table I may be assigned a numerical value of 10 for low, 50 for moderate, or 100 for high to represent a quantified impact estimate (i.e., 10 to 100).
Calculate the overall risk ratings for each risk by multiplying the numerical ratings assigned for likelihood and impact.
For a thorough description of the risk rating calculation, refer to the annotated NIST SP 800-30, Table 3-7, "Risk Scale and Necessary Actions."
Table K, taken from NIST SP 800-30, is an example of a risk-rating matrix showing how the overall risk ratings for a 3x3 matrix (i.e., high, moderate and low likelihood by low, moderate and high impact) are to be derived. If your agency requires more granular risk ratings, a larger matrix (e.g., 4x4, 3x5) may be used.
Table K documents the criteria used in determining overall risk ratings for the BFS.
Assign a risk rating to each risk listed in Table D. Enter the risk ratings in Exhibit 1. This data entry can be accomplished by cutting and pasting from Table L.
Table L assigns risk ratings from Table K to the risks identified for the BFS.
Table K: Overall Risk Rating Matrix

Risk Likelihood    Risk Impact
                   Low (10)               Moderate (50)               High (100)
High (1.0)         Low (10 x 1.0 = 10)    Moderate (50 x 1.0 = 50)    High (100 x 1.0 = 100)
Moderate (0.5)     Low (10 x 0.5 = 5)     Moderate (50 x 0.5 = 25)    Moderate (100 x 0.5 = 50)
Low (0.1)          Low (10 x 0.1 = 1)     Low (50 x 0.1 = 5)          Low (100 x 0.1 = 10)

Risk Scale: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100)
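The rating calculation described above, worked through in code as an added example that is not part of the Guideline or of the example report: the likelihood and impact values and the risk scale come from Table K, and the eleven sample risks carry the likelihood and impact ratings from Table L, so the computed overall ratings can be checked against that table. The band boundaries are handled explicitly, since a product of exactly 10 is Low and exactly 50 is Moderate.

```python
"""Overall risk rating as described in NIST SP 800-30 Table 3-7 and reproduced
in Table K: likelihood maps to a probability weight (0.1 / 0.5 / 1.0), impact to
a magnitude (10 / 50 / 100), and the product is placed on the 1-to-100 scale.
Added example; the sample risks are the BFS risks of Table L."""
from dataclasses import dataclass

# Numerical values assigned to the qualitative ratings (Table K).
LIKELIHOOD_VALUE = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}

# Risk scale from Table K: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100).
# Each entry is the inclusive upper bound of a band, checked in order.
RISK_SCALE = [(10, "Low"), (50, "Moderate"), (100, "High")]


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the numerical likelihood and impact values (one Table K cell)."""
    return LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact]


def overall_rating(score: float) -> str:
    """Place a score on the risk scale. Band tops are inclusive, so 10 is Low
    and 50 is Moderate, matching the Table K cells 100 x 0.1 and 100 x 0.5."""
    if not 0 < score <= 100:
        raise ValueError(f"score {score} is outside the 1-to-100 scale")
    for upper, label in RISK_SCALE:
        if score <= upper:
            return label
    raise AssertionError("unreachable: score already bounded above by 100")


def rating_matrix() -> dict:
    """Rebuild Table K as {(likelihood, impact): (score, overall rating)}."""
    return {
        (lk, im): (risk_score(lk, im), overall_rating(risk_score(lk, im)))
        for lk in LIKELIHOOD_VALUE
        for im in IMPACT_VALUE
    }


@dataclass(frozen=True)
class Risk:
    number: int
    summary: str
    likelihood: str
    impact: str

    @property
    def rating(self) -> str:
        return overall_rating(risk_score(self.likelihood, self.impact))


# Likelihood and impact ratings for the BFS risks, taken from Table L.
BFS_RISKS = [
    Risk(1, "Fire activates wet-pipe sprinkler system", "Moderate", "High"),
    Risk(2, "Unauthorized use of unneeded user IDs", "Moderate", "High"),
    Risk(3, "Unauthorized access via ad-hoc privileges", "Moderate", "High"),
    Risk(4, "Denial of service via bogus packets to port 1521", "Moderate", "High"),
    Risk(5, "Exploitation of unpatched application flaws", "Moderate", "High"),
    Risk(6, "Passwords in scripts and initialization files", "Moderate", "High"),
    Risk(7, "Unexpired/unchanged passwords", "Moderate", "High"),
    Risk(8, "Generic (shared) BFS accounts", "High", "High"),
    Risk(9, "Remote OS authentication enabled but unused", "High", "High"),
    Risk(10, "Unencrypted passwords on the network", "Moderate", "High"),
    Risk(11, "Sensitive data on USB drives", "High", "High"),
]


def rank_risks(risks):
    """Order risks by score, highest first, which is the ranking purpose
    stated in Section 7; ties keep their Table L order."""
    return sorted(risks, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


def verify_table_l(risks) -> list:
    """Return (risk number, computed overall rating) for each risk, to be
    compared with the Overall Risk Rating column of Table L."""
    return [(r.number, r.rating) for r in risks]


if __name__ == "__main__":
    for (lk, im), (score, label) in rating_matrix().items():
        print(f"{lk:>8} likelihood x {im:>8} impact = {score:5.0f} -> {label}")
    for r in rank_risks(BFS_RISKS):
        print(f"Risk {r.number:2d}: {r.rating:8} {r.summary}")
```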
Table L: Overall Risk Ratings Table

Risk No. 1
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 2
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 3
Risk Summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 4
Risk Summary: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 5
Risk Summary: Exploitation of un-patched application security flaws could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 6
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Describe the process used in assigning overall risk ratings.
This section contains the results of a risk determination performed for the Budget Formulation System. A risk rating of low, moderate, or high was assigned to each risk identified in Table D. The risk rating for each individual risk was calculated using guidance provided in NIST SP 800-30, Table 3-6, "Risk Scale and Necessary Actions."
Table L: Risk Ratings Table (continued)

Risk No. 7
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 8
Risk Summary: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High

Risk No. 9
Risk Summary: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High

Risk No. 10
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate

Risk No. 11
Risk Summary: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High
8 RECOMMENDATIONS
The purpose of this step is to recommend additional actions required to respond to the identified risks, as appropriate to the agency's operations. The goal of the recommended risk response is to reduce the residual risk to the system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
Effectiveness of recommended options (e.g., system compatibility)
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability
8 Recommendations
Table M documents recommendations for the risks identified for the BFS system.
Table M: Recommendations

Risk No. 1
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Risk Rating: Moderate
Recommendations: None. Replacing the wet-pipe sprinkler system in the BFA Data Center has been determined to be cost-prohibitive. BFA executive management has elected to accept this risk.

Risk No. 2
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Risk Rating: Moderate
Recommendations: The BFS support team should follow BFA & BFS policies regarding removal of accounts. BFA IRM should develop & implement a process to verify that termination procedures are carried out in the timeframe specified by BFA & BFS policy.

Risk No. 3
Risk Summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
Risk Rating: Moderate
Recommendations: BFA IRM should develop BFS user roles & associated privileges. Once developed, the BFS support team should implement these roles & assign BFS privileges based on role.

Risk No. 4
Risk Summary: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
Risk Rating: High
Recommendations: BFA IRM staff and the PSI support team should analyze whether replacing the existing Intrusion Detection Systems (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.
Table M: Recommendations (continued)

Risk No. 5
Risk Summary: Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data.
Risk Rating: Moderate
Recommendations: The BFS support team should implement procedures for reviewing & updating vendor-recommended patches to ensure that patches are applied in a timely manner. An automated notification process should be developed to notify the appropriate individuals of critical updates.

Risk No. 6
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Risk Rating: Moderate
Recommendations: The client software should be rewritten so that clear-text user IDs & passwords are not used in script and initialization files.

Risk No. 7
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Risk Rating: Moderate
Recommendations: The BFS support team should enable the functionality within Oracle to expire passwords & require changes.

Risk No. 8
Risk Summary: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Rating: High
Recommendations: The BFS support team should remove all generic accounts from BFS. BFA IRM should continue to monitor accounts to verify that no new shared accounts are created.

Risk No. 9
Risk Summary: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Rating: High
Recommendations: As an immediate step, the BFS support team should disable the remote OS feature. As documented in planned controls, the BFA IRM staff and BFS support team should work to develop a secure method to allow remote access to BFS.

Risk No. 10
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Risk Rating: Moderate
Recommendations: The BFS support team should configure the login encryption feature properly.

Risk No. 11
Risk Summary: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Risk Rating: High
Recommendations: BFA should include the prohibition on storing sensitive data on removable media such as USB drives in the BFA Acceptable Use policy, under development, and in the BFA Security Awareness and Training program.
Develop a list of recommendations related to the risks in Table D. Enter the recommendations into Exhibit 1. This data entry can be accomplished by cutting and pasting from Table M.
9 RESULTS DOCUMENTATION
The final step in the risk assessment is to complete the Risk Assessment Matrix located in Exhibit 1. The data gathered in the previous steps should be used to populate the matrix. Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed and controls assessed and recommended), the results should be documented in an official report or management brief.
The Risk Assessment Matrix located in Exhibit 1 serves as the basis for preparing the official report or management brief and documenting the risk assessment results. The risk assessment report helps senior management, the mission owners, make informed decisions on policy, procedural, budget and system operational and management changes. A risk assessment is not an audit or investigation report, which often looks for wrongdoing and issues findings that can be embarrassing to managers and system owners. A risk assessment is a systematic, analytical tool for identifying security weaknesses and calculating risk. The risk assessment report should not be presented in an accusatory manner. It should rather be a frank and open discussion of the observations of the risk assessment team. Its purpose is to inform senior management of the current threat-vulnerability environment and the adequacy of current and planned security controls. The value of a risk assessment is that it helps senior management to understand the current system exposure so they can allocate resources effectively and efficiently to correct errors and reduce potential losses.
The analysis should assess the effectiveness of in-place or planned controls in responding to the identified risks to the system. Compliance with these controls should be evaluated on an annual basis through a security self-assessment.
Other considerations, which are beyond the scope of the risk assessment but which may be addressed in the report and should be discussed in the brief, are management's assessment and subsequent corrective action plan (CAP) to address the identified weaknesses. For each recommendation management should:
Assign a priority to the recommendation;
Assign responsibility to an individual or identify the department that will be held accountable for implementing the recommendation;
Provide a date for initiating the recommendation; and
Provide a date by which time the recommendations must be fully implemented.
Complete the Risk Assessment Matrix in Exhibit 1 (much of the required data entry can be accomplished by cutting and pasting data from the Tables developed throughout the process).
Prepare an official report or management brief to explain the results of the risk assessment and provide the rationale for the recommended security controls.
IT is! "anagement #uideline, Appendix $ < is! Assessment Template
Appendix $, 2age =&
Exhibit 1: Risk Assessment Matrix

Risk No. 1
Vulnerability: Wet-pipe sprinkler system in BFS Data Center.
Threat: Fire
Risk: Compromise of BFS availability.
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors.
Recommendations: None. Replacing the wet-pipe sprinkler system in the BFA Data Center has been determined to be cost-prohibitive. BFA executive management has elected to accept this risk.

Risk No. 2
Vulnerability: BFS user identifiers (IDs) no longer required are not removed from BFS in a timely manner.
Threat: Unauthorized Use
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Controls 4.1.5 and 7.1.4 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application. Physical access to the building, workstation areas, & network are adequately protected.
Recommendations: The BFS support team should follow BFA & BFS policies regarding removal of accounts. BFA IRM should develop & implement a process to verify that termination procedures are carried out in the timeframe specified by BFA & BFS policy.

Risk No. 3
Vulnerability: BFS access privileges are granted on an ad-hoc basis rather than predefined roles.
Threat: Unauthorized Access
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Controls 4.1.1 and 7.1.6 require users to receive the minimum access rights needed to perform job functions. These controls are in place on an ad-hoc basis rather than based on roles, as required by policy.
Recommendations: BFA IRM should develop BFS user roles & associated privileges. Once developed, the BFS support team should implement these roles & assign BFS privileges based on role.
IT is! "anagement #uideline, Appendix $ < is! Assessment Template
Appendix $, 2age =6
*xhiCit 1% Risk Assessment 5atrix ?continued@
Risk
2o.
VulneraCility Threat Risk
Risk
Summary
Risk
0ikelihood
Rating
Risk
Im$act
Rating
&(erall Risk
Rating
Analysis of Rele(ant
1ontrols and &ther
Factors
Recommendations
Risk No. 4
Vulnerability: Bogus TCP packets (> 50000 bytes) directed at port 1521 will cause BFS to stop responding.
Threat: Malicious Use, Computer Crime
Risk: Compromise of BFS availability.
Risk Summary: Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Control 8.2.1 provides intrusion detection sufficient to detect such an attack. No Intrusion Prevention System (IPS) is in place to prevent such an attack, however.
Recommendations: BFA IRM staff and the PSI support team should analyze whether replacing the existing Intrusion Detection Systems (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.

Risk No. 5
Vulnerability: New patches that exist to correct flaws in application security design have not been applied.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Exploitation of un-patched application security flaws could compromise confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Control 8.1.3 requires that advisories & critical patch releases be monitored. These procedures are not followed consistently. A mitigating factor to consider is that occurrence of the risk depends on an unauthorized user's gaining access to the internal Agency network. There is an Agency firewall protecting the Internet connection & a Data Center firewall protecting the Data Center network. In addition, dial-in access is limited & strictly controlled. Internal users still pose a significant threat.
Recommendations: The BFS support team should implement procedures for reviewing & updating vendor-recommended patches to ensure that patches are applied in a timely manner. An automated notification process should be developed to notify the appropriate individuals of critical updates.
IT is! "anagement #uideline, Appendix $ < is! Assessment Template
Appendix $, 2age =B
*xhiCit 1% Risk Assessment 5atrix ?continued@
Risk
2o.
VulneraCility Threat Risk
Risk
Summary
Risk
0ikelihood
Rating
Risk
Im$act
Rating
&(erall Risk
Rating
Analysis of Rele(ant
1ontrols and &ther
Factors
Recommendations
Risk No. 6
Vulnerability: User names & passwords are in scripts & initialization files.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Control 4.2.9 requires that clear text passwords must not exist in scripts or text files on any system, but is not enforced for BFS. The use of clear text passwords is an inherent weakness in the client software, & there is no fix according to the vendor. Physical protections are in place to limit access to the building & user workstation areas, & technical controls are in place to limit access to user workstations to those individuals who have been granted permission to logon to Agency systems.
Recommendations: The client software should be rewritten so that clear-text user IDs & passwords are not used in script and initialization files.

Risk No. 7
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Controls 4.1.4 and 4.2.4 require regular password changes, but are not enforced for BFS. Support for required password changes is built into the software but has not been enabled.
Recommendations: The BFS support team should enable the functionality within Oracle to expire passwords & require changes.

Risk No. 8
Vulnerability: "Generic" accounts found in the database (e.g., test, share, guest).
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High
Analysis of Relevant Controls and Other Factors: Controls 4.1.6 and 4.2.8 require that shared accounts such as these not be used, but have not been enforced for BFS.
Recommendations: The BFS support team should remove all generic accounts from BFS. BFA IRM should continue to monitor accounts to verify that no new shared accounts are created.
IT is! "anagement #uideline, Appendix $ < is! Assessment Template
Appendix $, 2age =3
*xhiCit 1% Risk Assessment 5atrix ?continued@
Risk
2o.
VulneraCility Threat Risk
Risk
Summary
Risk
0ikelihood
Rating
Risk
Im$act
Rating
&(erall Risk
Rating
Analysis of Rele(ant
1ontrols and &ther
Factors
Recommendations
Risk No. 9
Vulnerability: Remote OS authentication is enabled but not used.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High
Analysis of Relevant Controls and Other Factors: Control 4.3.1 prohibits access to BFS from outside the PSI third-party network; enabling remote access in the software violates this control. A mitigating factor is that only authorized users could access the application. The mitigating effect of this factor is reduced by the unused accounts that continue to exist on BFS.
Recommendations: As an immediate step, the BFS support team should disable the remote OS feature. As documented in planned controls, the BFA IRM staff and BFS support team should work to develop a secure method to allow remote access to BFS.

Risk No. 10
Vulnerability: Login encryption setting is not properly configured.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Risk Likelihood Rating: Moderate
Risk Impact Rating: High
Overall Risk Rating: Moderate
Analysis of Relevant Controls and Other Factors: Controls 4.2.9 and 4.5.3 require encryption of passwords, but have not been enforced for BFS. Physical security protections are in place that would limit the ability to sniff the network to exploit this vulnerability.
Recommendations: The BFS support team should configure the login encryption feature properly.

Risk No. 11
Vulnerability: Sensitive BFS data is stored on USB drives.
Threat: Malicious Use, Computer Crime
Risk: Compromise of confidentiality of BFS data.
Risk Summary: Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Risk Likelihood Rating: High
Risk Impact Rating: High
Overall Risk Rating: High
Analysis of Relevant Controls and Other Factors: Control 4.4.2 prohibits storage of sensitive BFS data on portable media such as USB drives, but has not been enforced for BFS.
Recommendations: BFA should include the prohibition on storing sensitive data on removable media such as USB drives in the BFA Acceptable Use policy, under development, and in the BFA Security Awareness and Training program.
RISK ASSESSMENT REPORT TEMPLATE
Information Technology Risk Assessment
For
Risk Assessment Report
Risk Assessment Annual Document Review History
The Risk Assessment is reviewed, at least annually, and the date and reviewer recorded on the table below.
Review Date | Reviewer
TABLE OF CONTENTS
1 INTRODUCTION ... 7
2 IT SYSTEM CHARACTERIZATION ... 9
3 RISK IDENTIFICATION ... 14
4 CONTROL ANALYSIS ... 20
5 RISK LIKELIHOOD DETERMINATION ... 32
6 RISK IMPACT ANALYSIS ... 35
7 OVERALL RISK DETERMINATION ... 38
8 RECOMMENDATIONS ... 41
9 RESULTS DOCUMENTATION ... 44
IDENTIFICATION OF VULNERABILITIES ... 5
IDENTIFICATION OF THREATS ... 5
IDENTIFICATION OF RISKS ... 5
LIST OF EXHIBITS
LIST OF FIGURES
FIGURE 1 - IT SYSTEM BOUNDARY DIAGRAM ... 4
FIGURE 2 - INFORMATION FLOW DIAGRAM ... 4
LIST OF TABLES
TABLE A. RISK CLASSIFICATIONS ... 1
TABLE B. IT SYSTEM INVENTORY AND DEFINITION ... 2
TABLE C. THREATS IDENTIFIED ... 5
TABLE D. VULNERABILITIES, THREATS, AND RISKS ... 6
TABLE E. SECURITY CONTROLS ... 7
TABLE F. RISKS/CONTROLS/FACTORS CORRELATION ... 9
TABLE G. RISK LIKELIHOOD DEFINITIONS ... 10
TABLE H. RISK LIKELIHOOD RATINGS ... 10
TABLE I. RISK IMPACT RATING DEFINITIONS ... 12
TABLE J. RISK IMPACT ANALYSIS ... 12
TABLE K. OVERALL RISK RATING MATRIX ... 14
TABLE L. OVERALL RISK RATINGS TABLE ... 14
TABLE M. RECOMMENDATIONS ... 16
1 INTRODUCTION
Risk assessment participants:
Participant roles in the risk assessment in relation to assigned agency responsibilities:
Risk assessment techniques used:

Table A: Risk Classifications
Risk Level | Risk Description & Necessary Actions
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.
2 IT SYSTEM CHARACTERIZATION

Table B: IT System Inventory and Definition
IT System Inventory and Definition Document

I. IT System Identification and Ownership
IT System ID | IT System Common Name | Owned By | Physical Location | Major Business Function
System Owner | Phone Number
System Administrator(s) | Phone Number
Data Owner(s) | Phone Number(s)
Data Custodian(s) | Phone Number(s)
Other Relevant Information

II. IT System Boundary and Components
IT System Description and Components
IT System Interfaces
IT System Boundary

III. IT System Interconnections (add additional lines, as needed)
Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Status

IV. IT System and Data Sensitivity (add additional lines, as needed)
Type of Data | Sensitivity Ratings (include rationale for each rating): Confidentiality | Integrity | Availability
Overall IT System Sensitivity Rating (must be High if sensitivity of any data type is rated High on any criterion) | HIGH / MODERATE / LOW
IT System Classification (must be Sensitive if overall sensitivity is High; consider as Sensitive if overall sensitivity is Moderate) | SENSITIVE / NON-SENSITIVE

Description or diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:
Figure 1: IT System Boundary Diagram

Description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system:
Figure 2: Information Flow Diagram
3 RISK IDENTIFICATION

Identification of Vulnerabilities
Vulnerabilities were identified by:

Identification of Threats
Threats were identified by:
The threats identified are listed in Table C.
Table C: Threats Identified

Identification of Risks
Risks were identified by:
The way vulnerabilities combine with credible threats to create risks is identified in Table D.
Table D: Vulnerabilities, Threats, and Risks
Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
Rows 1 through 25: blank template rows.
4 CONTROL ANALYSIS
Table E documents the IT security controls in place and planned for the IT system.

Table E: Security Controls
Control Area | In-Place/Planned | Description of Controls
1 Risk Management
1.1 IT Security Roles & Responsibilities
1.2 Business Impact Analysis
1.3 IT System & Data Sensitivity Classification
1.4 IT System Inventory & Definition
1.5 Risk Assessment
1.6 IT Security Audits
2 IT Contingency Planning
2.1 Continuity of Operations Planning
2.2 IT Disaster Recovery Planning
2.3 IT System & Data Backup & Restoration
3 IT Systems Security
3.1 IT System Hardening
3.2 IT Systems Interoperability Security
3.3 Malicious Code Protection
3.4 IT Systems Development Life Cycle Security
4 Logical Access Control
4.1 Account Management
4.2 Password Management
4.3 Remote Access
5 Data Protection
5.1 Data Storage Media Protection
5.2 Encryption
6 Facilities Security
6.1 Facilities Security
7 Personnel Security
7.1 Access Determination & Control
7.2 IT Security Awareness & Training
7.3 Acceptable Use
8 Threat Management
8.1 Threat Detection
8.2 Incident Handling
8.3 Security Monitoring & Logging
9 IT Asset Management
9.1 IT Asset Control
9.2 Software License Management
9.3 Configuration Management & Change Control

Table F correlates the risks identified in Table D with the relevant IT security controls documented in Table E and with other mitigating or exacerbating factors.
Table F: Risks-Controls-Factors Correlation
Risk No. | Risk Summary | Correlation of Relevant Controls & Other Factors
Rows 1 through 25: blank template rows.
5 RISK LIKELIHOOD DETERMINATION
Table G defines the risk likelihood ratings.

Table G: Risk Likelihood Definitions
Effectiveness of Controls | Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats): Low | Moderate | High
Low | Moderate | High | High
Moderate | Low | Moderate | High
High | Low | Low | Moderate

Table H evaluates the effectiveness of controls and the probability, or the motivation and capability, of each threat to the IT system, and assigns a likelihood, as defined in Table G, to each risk documented in Table D.
Table H: Risk Likelihood Ratings
Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
Rows 1 through 25: blank template rows.
6 IMPACT ANALYSIS
Table I documents the ratings used to evaluate the impact of risks.

Table I: Risk Impact Rating Definitions
Magnitude of Impact | Impact Definition
High | Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major COV tangible assets, resources or sensitive data; or (3) may significantly harm, or impede the COV's mission, reputation, or interest.
Moderate | Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of COV tangible assets or resources; or (3) may violate, harm, or impede the COV's mission, reputation, or interest.
Low | Occurrence of the risk: (1) may result in the loss of some tangible COV assets or resources; or (2) may noticeably affect the COV's mission, reputation, or interest.

Table J documents the results of the impact analysis, including the estimated impact for each risk identified in Table D and the impact rating assigned to the risk.
Table J: Risk Impact Analysis
Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
Rows 1 through 25: blank template rows.
Description of process used in determining impact ratings:
7 RISK DETERMINATION
Table K documents the criteria used in determining overall risk ratings.

Table K: Overall Risk Rating Matrix
Risk Likelihood | Risk Impact: Low (10) | Moderate (50) | High (100)
High (1.0) | Low (10 x 1.0 = 10) | Moderate (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Moderate (0.5) | Low (10 x 0.5 = 5) | Moderate (50 x 0.5 = 25) | Moderate (100 x 0.5 = 50)
Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10)
Risk Scale: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100)
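The Table G likelihood lookup and the Table K arithmetic, carried through for a few constructed risks so the banding at the 10 and 50 boundaries can be checked. This is an added Python example, not part of the VITA guideline or its template; the function names and the three sample risk rows are this example's own.

```python
# Added example (not part of the VITA template): Table G lookup plus Table K scoring.
LEVELS = ("Low", "Moderate", "High")

# Table G: rows are effectiveness of controls; columns are probability of threat
# occurrence (natural/environmental) or threat motivation and capability (human).
TABLE_G = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}
# Table K: impact value times likelihood weight gives a score on the 1-100 Risk Scale.
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}

def _check(*levels):
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"rating must be one of {LEVELS}, got {level!r}")

def likelihood_rating(control_effectiveness, threat_level):
    """Table G lookup; the result is the Table H 'Risk Likelihood Rating'."""
    _check(control_effectiveness, threat_level)
    return TABLE_G[control_effectiveness][threat_level]

def risk_score(likelihood, impact):
    """Table K product: impact value x likelihood weight (rounded to drop float noise)."""
    _check(likelihood, impact)
    return round(IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood], 1)

def overall_risk_rating(likelihood, impact):
    """Band the Table K score on the Risk Scale: Low 1-10, Moderate >10-50, High >50-100."""
    score = risk_score(likelihood, impact)
    return "Low" if score <= 10 else "Moderate" if score <= 50 else "High"

def rate_risks(risks):
    """Carry (risk_no, controls, threat_level, impact) tuples through Tables G and K."""
    rows = []
    for risk_no, controls, threat_level, impact in risks:
        lk = likelihood_rating(controls, threat_level)
        rows.append({"risk_no": risk_no, "likelihood": lk, "impact": impact,
                     "score": risk_score(lk, impact),
                     "overall": overall_risk_rating(lk, impact)})
    return rows

# Constructed sample rows (risk no., effectiveness of controls per Table F,
# threat probability or motivation/capability, Table J impact rating).
SAMPLE_RISKS = [(1, "Low", "High", "High"),            # weak controls, capable threat
                (2, "Moderate", "Moderate", "Moderate"),
                (3, "High", "Low", "High")]            # strong controls, unlikely threat
```

Note that row 3 scores exactly 10 and therefore bands as Low even though the impact is High; the Risk Scale's boundaries are inclusive at the top of each band.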
Table L assigns an overall risk rating, as defined in Table K, to each of the risks documented in Table D.
Table L: Overall Risk Ratings Table
Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating
Rows 1 through 25: blank template rows.
Description of process used in determining overall risk ratings:
8 RECOMMENDATIONS
Table M documents recommendations for the risks identified in Table D.
Table M: Recommendations
Risk No. | Risk | Risk Rating | Recommendations
Rows 1 through 25: blank template rows.
9 RESULTS DOCUMENTATION
Exhibit 1: Risk Assessment Matrix
Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
Rows 1 through 25: blank template rows.